IN THE CLAIMS

Claims 1-10. (Canceled) 

11. (Currently Amended) A computer-implemented reference monitor,
comprising: 

a monitoring process, executing on a computer, which detects 
plural defined events and generates event messages; 

a storage device, on the computer, in which is stored real-time state 
information related to the event messages generated by the monitoring 
process; and 

a rule interpreting process, executing on the computer, which 
responds to characteristics of an event message of the information stored 
in the storage device and a set of rules by modifying operation of the 
computer by selectively computing a decision to allow or block activity 
according to the set of rules, the rule interpreting process further 
comprising: 

plural interceptors for identifying the activity; 

at least one rule which defines permissible resource 
references in view of an activity identified by the interceptors and 
the real-time state information, the interceptors operable to receive 
a sequence of events indicative of requests for operating system 
resources, the set of rules collectively defining a processing policy; 
and 

a rule interpreter which applies the rule to the identified
activity and the real-time state information
the monitoring process operable to implement the decision to block or allow the
identified activity.

12. (Original) The computer-implemented reference monitor of claim 11,
wherein the set of rules is modified in response to the information stored in the 
storage device. 

13. (Original) The computer-implemented reference monitor of claim 12, 
wherein the set of rules is modified and wherein the information stored in the 
storage device is preserved when the set of rules is modified. 

14. (Original) The computer-implemented reference monitor of claim 11, 
further comprising an external event message generating process executing on 
another computer, wherein the external event message generating process 
communicates event messages to the rule interpreting process. 

Claims 15-20. (Canceled) 

21. (Previously presented) The method of claim 11 wherein stateful reference
monitor computes a decision based on the processing policy defined by the rules 
to block or allow the event to be transmitted. 

22. (Previously presented) The method of claim 21 wherein the rules further 
comprise compiled rule byte code operable to perform selection of an active rule 
set and an inactive rule set such that only a particular rule set is in effect at a 
particular time. 

23. (Previously presented) The method of claim 22 wherein the stateful 
reference monitor is further operable to overwrite the rule byte code in a 
predetermined memory area and overwriting revised result byte code to effect a 
revised active rule set; the rule set operable for dynamic modification during 
persistent system operation.

24. (Previously presented) The method of claim 23 wherein the rules defining
allowable and disallowable activity further comprise a predetermined pattern of 
events and an identified prohibited pattern. 

25. (Previously presented) The method of claim 24 wherein the stateful 
reference monitor is further operable to: 

operate in a state collection mode, the state collection mode operable for 
gathering normal patterns of activity; 

subsequently operate in a lockdown mode, the lockdown mode operable 
to detect and distinguish predetermined patterns of events and the gathered 
normal patterns of activity; and 

identify detected patterns as unsafe based on user selection. 

26. (Currently Amended) An encoded set of processor based instructions on 
a machine-readable medium for performing a method of event processing 
employing a real-time stateful reference monitor including: 

a set of instructions defining a storage area where real-time state 
information is stored and from which the state information is restored; 

a set of instructions including a plurality of rules defining allowable activity 
based on a pattern of activity; and plural interceptors identifying and governing 
the activity by selectively computing a decision to allow or block activity based on 
an application of the rules to the activity; 

a set of instructions for correlating the state information across different 
ones of the plural interceptors, the process including the set of instructions which 
correlates the state information further comprising: 

a rule which defines permissible resource references in view of an 
activity identified by the plural interceptors and the real-time state 
information, the interceptors operable to receive a sequence of events 
indicative of requests for operating system resources; and

a rule interpreter which applies the rule to the identified activity
and the real-time state information;

a set of instructions for computing a decision based on the processing 
policy defined by the rules to block or allow the event to be transmitted, the rules 
further comprising compiled rule byte code operable to perform selection of an 
active rule set and an inactive rule set such that only a particular rule set is in 
effect at a particular time, the rules defining allowable and disallowable activity 
further comprising a predetermined pattern of events and an identified prohibited 
pattern; 

the set of instructions defining the identified prohibited pattern further 
comprising: 

a set of instructions for operating in a state collection mode, the 
state collection mode operable for gathering normal patterns of activity; 

a set of instructions for subsequently operating in a lockdown 
mode, the lockdown mode operable to detect and distinguish 
predetermined patterns of events and the gathered normal patterns of 
activity; and 

a set of instructions for identifying detected patterns as unsafe 
based on user selection, the set of instructions operable to direct the
process to implement the decision to block or allow the identified activity.

27. (New) A computer-implemented reference monitor, comprising: 

a monitoring process, executing on a computer, which detects
plural defined events and generates event messages;

a storage device, on the computer, in which is stored state
information related to the event messages generated by the monitoring
process;

a plurality of rules defining allowable activity based on a pattern of 
activity;

plural interceptors identifying and governing the activity; and

a rule interpreting process that correlates the state information
across different ones of the plural interceptors, executing on the computer, 
which responds to characteristics of an event message of the information 
stored in the storage device and a set of rules by modifying operation of 
the computer by selectively computing a decision to allow or block activity 
according to the plurality of rules, the rule interpreting process further 
comprising: 

at least one rule which defines permissible resource 
references in view of an activity identified by the interceptors and 
the real-time state information, the interceptors operable to receive 
a sequence of events indicative of requests for operating system 
resources, the set of rules collectively defining a processing policy; 
and 

a rule interpreter which applies the rule to the identified 
activity and the real-time state information, 
the monitoring process operable to implement the decision to block or allow the 
identified activity. 

28. (New) The computer-implemented reference monitor of claim 27, 
wherein at least one of the plural interceptors is a pre-existing element of a 
conventional computer operating system. 

29. (New) The computer-implemented reference monitor of claim 27, 
wherein the rule interpreting process that correlates the state information further 
comprises: 

a rule which defines permissible resource references in view of activity 
identified by the interceptors and the state information, the rules defining a 
processing policy;

a rule interpreter which applies the rule to the activity identified and the
state information; and 

a stateful reference monitor operable to compute a decision based on the 
processing policy to block or allow the event to be transmitted. 

30. (New) The computer-implemented reference monitor of claim 29, 
wherein the rule can be modified without restarting the real-time reference 
monitor. 

31. (New) The computer-implemented reference monitor of claim 29,
wherein the storage area has contents which are preserved when the rule is 
modified. 

32. (New) The computer-implemented reference monitor of claim 27, wherein 
the plural interceptors correspond to more than one resource type and wherein 
the storage area is a single storage area. 

33. (New) The computer-implemented reference monitor of claim 27, further 
comprising: 

an application program interface that can send messages to application 
programs on the same system. 

34. (New) The computer-implemented reference monitor of claim 33, further 
comprising: 

an application program interface that can send messages to application 
programs on other systems. 

35. (New) The computer-implemented reference monitor of claim 27, wherein 
the plural interceptors monitor two or more of file access, registry access, 
network access, object access, system call access, keyboard access, external
inputs and user input. 
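
An added illustration, not part of the claim text or of the applicant's implementation: a simplified Python model of the architecture the claims recite, with one state store shared by several interceptors, a rule that correlates file and network events, a rule-set swap that preserves state, and a state collection mode followed by a lockdown mode. All class, function and resource names are hypothetical, and the sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    interceptor: str  # which interceptor saw the request: "file", "network", ...
    pid: int
    resource: str

@dataclass
class Monitor:
    rules: list                                # active rule set
    state: dict = field(default_factory=dict)  # single store shared by all interceptors
    normal: set = field(default_factory=set)   # patterns gathered while learning
    lockdown: bool = False

    def handle(self, ev):
        """Return "allow" or "block" for one intercepted request."""
        pattern = (ev.interceptor, ev.resource)
        if not self.lockdown:                  # state collection mode
            self.normal.add(pattern)
            decision = "allow"
        elif any(rule(ev, self.state) for rule in self.rules):
            decision = "block"                 # a rule matched the event plus history
        else:                                  # lockdown: only learned patterns pass
            decision = "allow" if pattern in self.normal else "block"
        if decision == "allow":                # history records only what was permitted
            self.state.setdefault(ev.pid, []).append(pattern)
        return decision

    def swap_rules(self, new_rules):
        """Replace the active rule set; state and learned patterns are kept."""
        self.rules = list(new_rules)

def no_send_after_key_read(ev, state):
    """Cross-interceptor rule: network request by a pid that earlier read a key file."""
    history = state.get(ev.pid, [])
    return ev.interceptor == "network" and ("file", "/etc/app/key.pem") in history

def demo():
    m = Monitor(rules=[])
    # Constructed sample events observed during the learning phase.
    for ev in [Event("file", 10, "/etc/app/key.pem"),
               Event("network", 11, "10.0.0.5:443")]:
        m.handle(ev)
    m.lockdown = True
    m.swap_rules([no_send_after_key_read])     # no restart, state survives
    return [
        m.handle(Event("network", 11, "10.0.0.5:443")),  # learned, clean history
        m.handle(Event("network", 10, "10.0.0.5:443")),  # pid 10 read the key earlier
        m.handle(Event("file", 11, "/etc/shadow")),      # never seen while learning
    ]
```

The second decision depends on state recorded by the file interceptor before the rule set was swapped, which is the correlation and state-preservation behaviour claims 13, 27 and 31 describe.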



